I also ran a second scan and output it in XML format, so it could be easily imported into Metasploit later.

We can see that we have FTP, SSH, and a webserver running on this target. As a last resort we could attempt to brute-force our way into SSH using the user marlinspike, which can be found when booting up the Ubuntu instance. For now, let’s start by checking out the website.

Navigating to http://192.168.59.137/ I am brought to a default “It works!” webpage. Checking the source provides no additional information and neither does the robots.txt file. I am not fully convinced that this webserver is running for no reason so I decide to use dirb to enumerate some directories for me.

Our tool discovers a hidden directory listed as “/secret” and it turns out to be a WordPress blog, which is slightly broken. The blog keeps trying to load additional content and styling from a “vtcsec” domain, which I later discovered is the hostname of our target. Since “vtcsec” doesn’t resolve to anything for us, the blog’s styling is all out of whack. I’m sure if you go into your hosts file and map “vtcsec” to the correct local IP, it will fix the issue.

Anyway, for my next trick… more enumeration! Since WordPress, more specifically WordPress plugins, is known to have vulnerabilities, I decide to take a quick stab at it with wpscan. Unfortunately, wpscan isn’t able to give us much other than some version numbers and this:

0x03 Conclusion

Looks like that remote exploit got us a root shell, so the challenge is complete. I snooped around the filesystem a little bit but found nothing of interest. No flags, not even in /home/marlinspike. If this were a target network we were compromising and not just this one machine, it is at this point we would want to try and maintain persistence. We could drop more backdoors, start passively listening on the network to discover more hosts or steal credentials, etc. That is out of the scope of this write-up though.

This challenge is definitely geared towards beginners and those wanting to get their feet wet with pentesting and compromising a target system. Not a whole lot of trickery or dead ends in this one.